We propose a general method for studying properties of quantum channels acting on an n-partite 
system, whose action is invariant under permutations of the subsystems. Our main result is that, 
in order to prove that a certain property holds for any arbitrary input, it is sufficient to consider 
the special case where the input is a particular de Finetti-type state, i.e., a state which consists of n 
identical and independent copies of an (unknown) state on a single subsystem. A similar statement 
holds for more general channels which are covariant with respect to the action of an arbitrary finite 
or locally compact group. 

Our technique can be applied to the analysis of information-theoretic problems. For example, 
in quantum cryptography, we get a simple proof for the fact that security of a discrete-variable 
quantum key distribution protocol against collective attacks implies security of the protocol against 
the most general attacks. The resulting security bounds are tighter than previously known bounds 
obtained by proofs relying on the exponential de Finetti theorem [1]. 



In quantum mechanics, the most general way of describing the evolution of a subsystem $A$
($A$ may be part of a larger system) at time $t$ to a subsystem $A'$ at a later point in
time $t'$ is by application of a quantum channel. Mathematically, a quantum channel is a
completely positive trace-preserving (CPTP) map transforming the reduced density matrix of
system $A$ at time $t$ to $\rho_{A'}$, the reduced density matrix of system $A'$ at time $t'$.
CPTP maps are used in various areas of physics and information theory. A CPTP map modeling a
particular quantum communication channel, for instance, describes how the channel output
$\rho_{A'}$ depends on the input $\rho_A$.

A common method to characterize a given CPTP map $\mathcal{E}$ is to compare it to an
idealized CPTP map $\mathcal{F}$ that is well understood, e.g., because it has a simple
description. For instance, given a physical communication channel specified by $\mathcal{E}$,
one may characterize its ability to reliably transmit messages by showing its similarity to a
perfect channel $\mathcal{F}$ characterized by the identity mapping id. Another example is the
analysis of information-theoretic or cryptographic protocols (e.g., for quantum key
distribution). Here, $\mathcal{E}$ may be the action of the actual protocol while $\mathcal{F}$
is the ideal functionality the protocol is supposed to reproduce. We are then typically
interested in proving that $\mathcal{E}$ is almost equal to $\mathcal{F}$ (in quantum
cryptography, this corresponds to proving security).

In order to compare two CPTP maps $\mathcal{E}$ and $\mathcal{F}$, we need a notion of
distance. A natural choice is the metric induced by the diamond norm $\|\cdot\|_\diamond$ [9]
since it is directly related to the maximum probability that a difference can be observed
between the processes described by $\mathcal{E}$ and $\mathcal{F}$, respectively. More
precisely, consider a hypothetical game where a player is asked to guess whether a given
physical process is described by $\mathcal{E}$ or $\mathcal{F}$, which are both equally likely
to be the correct descriptions. If the player is allowed to observe the process once (with an
input of his choice, possibly correlated with a reference system) then the maximum probability
$p$ of a correct guess is given by $p = \frac{1}{2} + \frac{1}{4}\|\mathcal{E}-\mathcal{F}\|_\diamond$.
In particular, if $\mathcal{E}$ and $\mathcal{F}$ are identical, the distance equals zero and,
hence, $p = \frac{1}{2}$, corresponding to a random guess. On the other hand, if $\mathcal{E}$
and $\mathcal{F}$ are perfectly distinguishable, we have $\|\mathcal{E}-\mathcal{F}\|_\diamond = 2$
and $p = 1$.

Here, we present a general method for computing an upper bound on the distance
$\|\mathcal{E}-\mathcal{F}\|_\diamond$ between two maps $\mathcal{E}$ and $\mathcal{F}$,
provided they act symmetrically on an n-partite system with subsystems $\mathcal{H}$ of finite
dimension. While, by definition, the diamond norm involves a maximization over all possible
inputs, we show that for calculating the bound it is sufficient to consider (relative to a
reference system) the particular input

where $\mu(\cdot)$ is the measure on the space of density operators on a single subsystem
induced by the Hilbert-Schmidt metric. States of the form (1) are also known as de Finetti
states. They describe the joint state of n subsystems prepared as identical and independent
copies of an (unknown) density operator $\sigma_{\mathcal{H}}$. Because of their structure,
de Finetti states are usually easy to handle in calculations and proofs, as outlined below.

As an example, we apply this result to the security analysis of quantum key distribution (QKD)
schemes Q. Let $\mathcal{E}$ be the map describing a given QKD protocol, which takes as input
n predistributed particle pairs (which may have been generated in a preliminary protocol
step). Security of the protocol (against the most general attacks) is then defined by the
requirement that the protocol $\mathcal{E}$ is close to the ideal functionality $\mathcal{F}$
that simply outputs a perfect key, independently of the input (which may be arbitrarily
compromised by the action of an adversary). Now, according to our main result, this distance
is bounded by simply evaluating the map $\mathcal{E}$ for an input of the form (1) and
comparing the generated key with a perfect key. We further show that this result is equivalent
to proving security of the scheme against a restricted type of attacks, called collective
attacks, where the adversary is assumed to attack each of the particle pairs independently and
identically. Our result thus gives a simple proof for the statement (proved originally in
[U, 0]) that security of a QKD protocol against collective attacks implies security against
the most general attacks. The resulting security bounds are tighter than previously known
bounds obtained by proofs relying on the exponential de Finetti theorem [1].

Main Result. Let $\Delta$ be a linear map from $\mathrm{End}(\mathcal{H}^{\otimes n})$ to
$\mathrm{End}(\mathcal{H}')$. In particular, $\Delta$ may be the difference between two CPTP
maps. $\mathrm{End}(\mathcal{L})$ denotes the space of all endomorphisms on $\mathcal{L}$,
which includes the density operators on $\mathcal{L}$. We denote by $\pi$ the map on
$\mathrm{End}(\mathcal{H}^{\otimes n})$ that permutes the subsystems with permutation $\pi$ [10].
Our main result, the Post-Selection Theorem [11], gives an upper bound on the norm of a
permutation-invariant map in terms of the action of the map on a purification [12]
$\tau_{\mathcal{H}^n\mathcal{R}}$ of the state $\tau_{\mathcal{H}^n}$ defined by (1).

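Theorem 1. If for any permutation $\pi$ there exists a CPTP map $\mathcal{K}_\pi$ such that
$\Delta \circ \pi = \mathcal{K}_\pi \circ \Delta$, then

$$\|\Delta\|_\diamond \le g_{n,d}\, \|(\Delta \otimes \mathrm{id})(\tau_{\mathcal{H}^n\mathcal{R}})\|_1 .$$

id denotes the identity map on $\mathrm{End}(\mathcal{R})$ and
$g_{n,d} = \ \le (n+1)^{d^2-1}$, for $d = \dim\mathcal{H}$.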

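The proof of Theorem 1 uses the following lemma which relates arbitrary density operators
$\rho_{\mathcal{H}^n\mathcal{K}^n}$ on the symmetric subspace
$\mathrm{Sym}^n(\mathcal{H}\otimes\mathcal{K}) \subset (\mathcal{H}\otimes\mathcal{K})^{\otimes n}$,
for $\mathcal{K} \cong \mathcal{H}$, to a particular purification of $\tau_{\mathcal{H}^n}$. We
define the state
$\tau_{\mathcal{H}^n\mathcal{K}^n} = \int \sigma_{\mathcal{HK}}^{\otimes n}\, d(\sigma_{\mathcal{HK}})$
on $\mathrm{Sym}^n(\mathcal{H}\otimes\mathcal{K})$, where $d(\cdot)$ is the measure on the pure
states induced by the Haar measure on the unitary group acting on
$\mathcal{H}\otimes\mathcal{K}$. We note that $\tau_{\mathcal{H}^n\mathcal{K}^n}$ extends the
state $\tau_{\mathcal{H}^n}$ defined in (1), i.e.,
$\mathrm{tr}_{\mathcal{K}^n}\,\tau_{\mathcal{H}^n\mathcal{K}^n} = \tau_{\mathcal{H}^n}$; the
measure $\mu(\cdot)$ furthermore is the one induced by the Hilbert-Schmidt metric on
$\mathrm{End}(\mathcal{H})$. Let now $\tau_{\mathcal{H}^n\mathcal{K}^n\mathcal{N}}$ be a
purification of $\tau_{\mathcal{H}^n\mathcal{K}^n}$.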

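Lemma 2. For $\rho_{\mathcal{H}^n\mathcal{K}^n}$ a density operator supported on
$\mathrm{Sym}^n(\mathcal{H}\otimes\mathcal{K})$, with $\mathcal{K} \cong \mathcal{H}$, there
exists a trace-non-increasing map $\mathcal{T}$ from the purifying system
$\mathrm{End}(\mathcal{N})$ to $\mathbb{C}$ such that

$$\rho_{\mathcal{H}^n\mathcal{K}^n} = g_{n,d}\, (\mathrm{id} \otimes \mathcal{T})(\tau_{\mathcal{H}^n\mathcal{K}^n\mathcal{N}}) , \tag{2}$$

where id is the identity map on $\mathrm{End}((\mathcal{H}\otimes\mathcal{K})^{\otimes n})$ and
$d = \dim\mathcal{H}$.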



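Proof. Let $\mathcal{N} \cong \mathrm{Sym}^n(\mathcal{H}\otimes\mathcal{K})$ and let
$\{|v_i\rangle\}_i$ be an eigenbasis of $\rho_{\mathcal{H}^n\mathcal{K}^n}$. Since, by Schur's
lemma, $\tau_{\mathcal{H}^n\mathcal{K}^n}$ is the state proportional to the identity on
$\mathrm{Sym}^n(\mathcal{H}\otimes\mathcal{K})$,
$\tau_{\mathcal{H}^n\mathcal{K}^n\mathcal{N}} := |\Psi\rangle\langle\Psi|_{\mathcal{H}^n\mathcal{K}^n\mathcal{N}}$
is a purification of $\tau_{\mathcal{H}^n\mathcal{K}^n}$, where
$|\Psi\rangle := g_{n,d}^{-1/2} \sum_i |v_i\rangle \otimes |v_i\rangle$ and $g_{n,d}$ is the
dimension of $\mathrm{Sym}^n(\mathcal{H}\otimes\mathcal{K})$. Furthermore, for any basis vector
$|v_i\rangle$,

where $\mathbb{1}_{\mathcal{H}^n\mathcal{K}^n} \in \mathrm{End}((\mathcal{H}\otimes\mathcal{K})^{\otimes n})$
is the identity. This implies (2) with
$\mathcal{T} : \sigma \mapsto \mathrm{tr}(\sigma \rho_{\mathcal{N}})$, since $\{|v_i\rangle\}_i$
is an eigenbasis of $\rho_{\mathcal{H}^n\mathcal{K}^n}$. Because $\mathcal{T}$ is clearly
trace-non-increasing, this concludes the proof. □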

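Proof of Theorem 1. We need to show that for any finite-dimensional space $\mathcal{R}'$ and
any density operator $\rho_{\mathcal{H}^n\mathcal{R}'}$,

$$\|(\Delta \otimes \mathrm{id})(\rho_{\mathcal{H}^n\mathcal{R}'})\|_1 \le g_{n,d}\, \|(\Delta \otimes \mathrm{id})(\tau_{\mathcal{H}^n\mathcal{R}})\|_1 , \tag{3}$$

for some purification $\tau_{\mathcal{H}^n\mathcal{R}}$ of $\tau_{\mathcal{H}^n}$. In a first
step, we show that it is sufficient to prove (3) for density operators
$\rho_{\mathcal{H}^n\mathcal{R}'}$ with support on $\mathrm{Sym}^n(\mathcal{H}\otimes\mathcal{K})$,
where $\mathcal{K} \cong \mathcal{H}$ and $\mathcal{R}' = \mathcal{K}^{\otimes n}$. To see this,
let $\rho_{\mathcal{H}^n\mathcal{R}'}$ be an arbitrary density operator and define the density
operator

$$\rho_{\mathcal{H}^n\mathcal{R}'\mathcal{R}''} = \frac{1}{n!} \sum_\pi (\pi \otimes \mathrm{id})(\rho_{\mathcal{H}^n\mathcal{R}'}) \otimes |\pi\rangle\langle\pi|_{\mathcal{R}''} ,$$

where the sum ranges over all permutations $\pi$ of the n subsystems and where
$\{|\pi\rangle\}_\pi$ is an orthonormal family of vectors on an auxiliary space $\mathcal{R}''$.
Then, by construction, the reduced state
$\rho_{\mathcal{H}^n} = \mathrm{tr}_{\mathcal{R}'\mathcal{R}''}(\rho_{\mathcal{H}^n\mathcal{R}'\mathcal{R}''})$
is permutation invariant. Hence, according to [J, there exists a purification
$\rho_{\mathcal{H}^n\mathcal{K}^n}$ of $\rho_{\mathcal{H}^n}$ supported on
$\mathrm{Sym}^n(\mathcal{H}\otimes\mathcal{K})$. In particular, because all purifications are
equivalent up to isometries, there exists a CPTP map $\mathcal{G}$ from
$\mathrm{End}(\mathcal{K}^{\otimes n})$ to $\mathrm{End}(\mathcal{R}' \otimes \mathcal{R}'')$ such
that $\rho_{\mathcal{H}^n\mathcal{R}'\mathcal{R}''} = (\mathrm{id} \otimes \mathcal{G})(\rho_{\mathcal{H}^n\mathcal{K}^n})$.
Making use of the assumption on the permutation invariance of $\Delta$, we thus find that
$\|(\Delta \otimes \mathrm{id})(\rho_{\mathcal{H}^n\mathcal{R}'})\|_1$ equals

$$\frac{1}{n!} \sum_\pi \|((\Delta \circ \pi) \otimes \mathrm{id})(\rho_{\mathcal{H}^n\mathcal{R}'})\|_1 = \|(\Delta \otimes \mathrm{id})(\rho_{\mathcal{H}^n\mathcal{R}'\mathcal{R}''})\|_1 = \|(\Delta \otimes \mathcal{G})(\rho_{\mathcal{H}^n\mathcal{K}^n})\|_1 \le \|(\Delta \otimes \mathrm{id})(\rho_{\mathcal{H}^n\mathcal{K}^n})\|_1 ,$$

where the last inequality holds because a CPTP map cannot increase the norm. It thus remains
to show that (3) holds for states in $\mathrm{Sym}^n(\mathcal{H}\otimes\mathcal{K})$. By Lemma 2
there exists a map $\mathcal{T}$ such that
$\rho_{\mathcal{H}^n\mathcal{K}^n} = g_{n,d}\, (\mathrm{id} \otimes \mathcal{T})(\tau_{\mathcal{H}^n\mathcal{K}^n\mathcal{N}})$.
Then, by linearity, we have

$$\|(\Delta \otimes \mathrm{id})(\rho_{\mathcal{H}^n\mathcal{K}^n})\|_1 = g_{n,d}\, \|(\Delta \otimes \mathcal{T})(\tau_{\mathcal{H}^n\mathcal{K}^n\mathcal{N}})\|_1 .$$

Inequality (3) then follows from the fact that $\mathcal{T}$ cannot increase the norm and by
setting $\mathcal{R} = \mathcal{K}^{\otimes n} \otimes \mathcal{N}$. □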

Application to Quantum Key Distribution. QKD is the art of generating a secret key known only
to two distant parties, Alice and Bob, connected by an insecure quantum communication channel
and an authentic classical channel [13]. Most QKD protocols can be subdivided into two parts.
In the first, Alice and Bob use the quantum channel to distribute n entangled particle pairs
(this phase may include advanced quantum protocols such as quantum repeaters). In the second
part, they apply local measurements (we will restrict ourselves to the typical case of
measurements that are independent and identical on each of the n pairs) followed by a sequence
of classical post-processing steps (such as parameter estimation, error correction, and privacy
amplification) to extract $\ell$ key bits [14]. The protocol induces a map $\mathcal{E}$ from
$(\mathcal{H}_A \otimes \mathcal{H}_B)^{\otimes n}$ (the n particle pairs) to the set of pairs
$(S_A, S_B)$ of $\ell$-bit strings (Alice and Bob's final keys, respectively) and $C$, where $C$
is a transcript of the classical communication. Note that $\ell$ may depend on the input; in
particular, $\ell = 0$ if the entanglement of the initial particle pairs is too small for key
extraction.

A QKD protocol is said to be $\varepsilon$-secure (for some small $\varepsilon > 0$) if, for any
attack of an adversary, the final keys $S_A$ and $S_B$ computed by Alice and Bob are identical,
uniformly distributed, and independent of the adversary's knowledge, except with probability
$\varepsilon$. This criterion can be reformulated as a condition on the map $\mathcal{E}$. Since
an adversary may have full control over the quantum channel connecting Alice and Bob, we
require that, for any input to $\mathcal{E}$, the output is a pair $(S_A, S_B)$ of secure keys
of length $\ell \ge 0$ [15]. To make this more precise, let $\mathcal{S}$ be the map that acts on
the output $(S_A, S_B, C)$ of $\mathcal{E}$ by replacing $(S_A, S_B)$ by a pair $(S'_A, S'_B)$ of
identical and uniformly distributed keys of the same length, while leaving $C$ unchanged. With
this definition, the concatenated map $\mathcal{F} := \mathcal{S} \circ \mathcal{E}$ describes an
ideal key distillation scheme which always outputs a perfect key pair. We then say that
$\mathcal{E}$ is $\varepsilon$-secure if $\|\mathcal{E} - \mathcal{F}\|_\diamond \le \varepsilon$.

$\mathcal{E}$ is typically invariant under permutations of the inputs. However, if it is not,
permutation invariance can be enforced by prepending an additional symmetrization step where
both Alice and Bob permute their inputs according to a permutation $\pi$ chosen at random by
one party and communicated to the other using the classical channel [16]. We can thus apply
Theorem 1 with $\Delta := \mathcal{E} - \mathcal{F}$, which implies that $\mathcal{E}$ is
$\varepsilon$-secure whenever

$$\|((\mathcal{E} - \mathcal{F}) \otimes \mathrm{id})(\tau_{\mathcal{H}^n\mathcal{R}})\|_1 \le \bar{\varepsilon} := \varepsilon\, (n+1)^{-(d^2-1)} , \tag{4}$$

where $\mathcal{H} := \mathcal{H}_A \otimes \mathcal{H}_B$, where $d = \dim(\mathcal{H})$, and
where $\tau_{\mathcal{H}^n\mathcal{R}}$ is a purification of the state $\tau_{\mathcal{H}^n}$
defined by (1).

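We will now employ (4) to show that for proving security of a QKD protocol it suffices to
consider collective attacks, where the adversary acts on each of the signals independently and
identically. Using the above formalism, we say that $\mathcal{E}$ is $\bar{\varepsilon}$-secure
against collective attacks if
$\|((\mathcal{E} - \mathcal{F}) \otimes \mathrm{id})(\sigma_{\mathcal{HK}}^{\otimes n})\|_1 \le \bar{\varepsilon}$
for any (pure) $\sigma_{\mathcal{HK}}$ on $\mathcal{H} \otimes \mathcal{K}$, where
$\mathcal{K} \cong \mathcal{H}$. This immediately implies that the same bound holds for the
extension $\tau_{\mathcal{H}^n\mathcal{K}^n} = \int \sigma_{\mathcal{HK}}^{\otimes n}\, d(\sigma_{\mathcal{HK}})$
of $\tau_{\mathcal{H}^n}$,

$$\|((\mathcal{E} - \mathcal{F}) \otimes \mathrm{id}_{\mathcal{K}^n})(\tau_{\mathcal{H}^n\mathcal{K}^n})\|_1 \le \max_{\sigma_{\mathcal{HK}}} \|((\mathcal{E} - \mathcal{F}) \otimes \mathrm{id}_{\mathcal{K}^n})(\sigma_{\mathcal{HK}}^{\otimes n})\|_1 \le \bar{\varepsilon} . \tag{5}$$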

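To obtain criterion (4), we need to show that a similar bound still holds if we consider a
purification $\tau_{\mathcal{H}^n\mathcal{K}^n\mathcal{N}}$ of $\tau_{\mathcal{H}^n\mathcal{K}^n}$.
For this, we think of $\mathcal{N}$ as an additional system that is available to an adversary.
Because $\mathcal{N}$ can be chosen isomorphic to $\mathrm{Sym}^n(\mathcal{H}\otimes\mathcal{K})$,
its dimension is bounded by $(n+1)^{d^2-1}$. The idea is then to compensate the extra
information available to the adversary by slightly reducing the size of the final key. More
precisely, according to the privacy amplification theorem (Theorem 5.5.1 of [4]), the protocol
$\mathcal{E}'$ obtained from $\mathcal{E}$ by shortening the output of the hashing by
$2 \log_2 \dim\mathcal{N} \le 2(d^2-1) \log_2(n+1)$ bits satisfies

$$\|((\mathcal{E}' - \mathcal{F}') \otimes \mathrm{id}_{\mathcal{K}^n\mathcal{N}})(\kappa)\|_1 \le \|((\mathcal{E} - \mathcal{F}) \otimes \mathrm{id}_{\mathcal{K}^n} \otimes \mathrm{tr}_{\mathcal{N}})(\kappa)\|_1 .$$

Setting $\kappa$ equal to $\tau_{\mathcal{H}^n\mathcal{K}^n\mathcal{N}}$ and using (5), we
conclude that
$\|((\mathcal{E}' - \mathcal{F}') \otimes \mathrm{id}_{\mathcal{K}^n\mathcal{N}})(\tau_{\mathcal{H}^n\mathcal{K}^n\mathcal{N}})\|_1 \le \bar{\varepsilon}$,
which corresponds to (4). We have thus shown that $\bar{\varepsilon}$-security of $\mathcal{E}$
against collective attacks implies $\varepsilon$-security of $\mathcal{E}'$ against general
attacks.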

In the security analysis against collective attacks, the security parameter $\bar{\varepsilon}$
can be chosen exponentially small, i.e., $\bar{\varepsilon} \le 2^{-c\delta^2 n}$ (for some
$c > 0$), at the only cost of reducing the key size by an (arbitrarily small) fraction $\delta$
compared to the asymptotically optimal rate. The crucial observation made in this paper is
that the security parameter $\varepsilon$ for general attacks and $\bar{\varepsilon}$ are
polynomially related (see (4)). We thus find
$\varepsilon \le 2^{-c\delta^2 n + (d^2-1)\log_2(n+1)}$, which shows that security under the
assumption of collective attacks implies full security essentially without changing the
security parameter. This security estimate improves on previous estimates based on the
exponential de Finetti theorem and has a direct impact on the security analysis of current
experimental implementations.
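
The finite-size cost of this reduction can be computed directly. The sketch below is an added example, not code from the paper: it evaluates the factor $(n+1)^{d^2-1}$ in the log domain, the key shortening of $2(d^2-1)\log_2(n+1)$ bits, and the smallest block size n that reaches a target general-attack security parameter. All function names and the values of c and delta in the demo are assumptions; the exact dimension uses the standard formula for a symmetric subspace.

```python
import math

def log2_g_bound(n: int, d: int) -> float:
    """log2 of the polynomial factor (n+1)^(d^2-1) from Theorem 1."""
    return (d * d - 1) * math.log2(n + 1)

def log2_g_exact(n: int, d: int) -> float:
    """log2 of dim Sym^n(C^(d^2)) = C(n+d^2-1, n), the standard dimension
    formula for a symmetric subspace; lgamma avoids huge integers."""
    big_d = d * d
    ln_binom = math.lgamma(n + big_d) - math.lgamma(n + 1) - math.lgamma(big_d)
    return ln_binom / math.log(2)

def general_attack_log2_eps(n: int, d: int, log2_eps_collective: float) -> float:
    """Eq. (4) rearranged: log2(eps) = log2(eps_collective) + (d^2-1) log2(n+1)."""
    return log2_eps_collective + log2_g_bound(n, d)

def key_shortening_bits(n: int, d: int) -> int:
    """Bits removed from the hash output: 2 (d^2-1) log2(n+1), rounded up."""
    return math.ceil(2 * log2_g_bound(n, d))

def min_block_size(d: int, c: float, delta: float, log2_eps_target: float) -> int:
    """Smallest n with -c*delta^2*n + (d^2-1)*log2(n+1) <= log2_eps_target.
    c and delta are protocol-dependent; the values used below are assumed."""
    if c <= 0 or delta <= 0 or log2_eps_target >= 0:
        raise ValueError("need c > 0, delta > 0 and a target below 1")
    f = lambda n: general_attack_log2_eps(n, d, -c * delta ** 2 * n)
    lo, hi = 0, 1                      # f(0) = 0 lies above any valid target
    while f(hi) > log2_eps_target:     # the linear term eventually dominates
        lo, hi = hi, 2 * hi
    while hi - lo > 1:                 # invariant: f(lo) > target >= f(hi)
        mid = (lo + hi) // 2
        if f(mid) <= log2_eps_target:
            hi = mid
        else:
            lo = mid
    return hi                          # f is concave, so this crossing is unique

if __name__ == "__main__":
    d = 4                              # qubit pairs: dim(H_A (x) H_B) = 4
    n = min_block_size(d, c=1.0, delta=0.01, log2_eps_target=-33.0)
    print("minimum block size n:", n)
    print("log2 eps (general attacks):", general_attack_log2_eps(n, d, -1e-4 * n))
    print("key shortening in bits:", key_shortening_bits(n, d))
    print("slack in bound on g, bits:", log2_g_bound(n, d) - log2_g_exact(n, d))
```

For qubit pairs the exponent $d^2-1$ is 15, so the polynomial factor costs a fixed number of bits per doubling of n while the collective-attack term shrinks linearly in n.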

Concluding remark. The technical results in this paper deal with quantum states and channels
that commute with the action of the symmetric group on $\mathcal{H}^{\otimes n}$, but can be
easily generalized to the action of an arbitrary finite or locally compact group $G$ on a space
$\mathcal{V}$ [17]. Seen in the light of more general symmetry groups $G$, we thus hope that our
results will find fundamental applications in quantum physics beyond their presented use in
quantum information theory.

Acknowledgments. RK acknowledges support by the NSA under ARO contract no. W911NF-05-1-0294
and by the NSF under contract no. PHY-0456720. RR received support from the EU project SECOQC.



[2] C. H. Bennett and G. Brassard, in Proc. of IEEE Int. Conf. on Computers, Systems and
Signal Processing (1984), pp. 175-179.

[3] A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991).

[4] R. Renner, Ph.D. thesis, ETH Zurich (2005), quant-ph/0512258.

[5] K. Zyczkowski and H.-J. Sommers, J. Phys. A 34, 7111 
(2001). 

[6] M. Christandl, R. Konig, G. Mitchison, and R. Renner, 
Comm. Math. Phys. 273, 473 (2007). 

[7] A. Y. Kitaev, Russian Math. Surveys 52, 1191 (1997). 

[8] C. H. Bennett, G. Brassard, and N. D. Mermin, Phys. 
Rev. Lett. 68, 557 (1992). 

[9] The diamond norm is given by
$\|\mathcal{E}\|_\diamond = \sup_{k \in \mathbb{N}} \|\mathcal{E} \otimes \mathrm{id}_k\|_1$ where
$\|\mathcal{F}\|_1 := \sup_{\|\sigma\|_1 \le 1} \|\mathcal{F}(\sigma)\|_1$ and
$\|\sigma\|_1 := \mathrm{tr}\sqrt{\sigma^\dagger \sigma}$ is the trace norm. $\mathrm{id}_k$
denotes the identity map on states of a k-dimensional quantum system. The suprema are reached
for positive $\sigma$ and $k$ equal to the dimension of the input of $\mathcal{E}$ [3| .

[10] The permutation $\pi$ on n elements acts on $\mathcal{H}^n = \mathcal{H}^{\otimes n}$ by
permuting the tensor factors, i.e., $\pi|i_1 \cdots i_n\rangle = \cdots$ for a basis
$\{|i\rangle\}$ of $\mathcal{H}$. The space of vectors invariant under the action of all $\pi$ is
denoted by $\mathrm{Sym}^n(\mathcal{H})$. As a map on $\mathrm{End}(\mathcal{H}^{\otimes n})$ we write

[13] Authenticity means that the communication cannot be altered by an adversary. If only
completely insecure channels are available, authenticity may be simulated using a short
initial key shared between Alice and Bob.

[14] This describes an entanglement-based protocol. However, our results immediately extend to
prepare-and-measure schemes, because their security analysis can generally be reduced to
corresponding entanglement-based schemes Q.

[15] Of course, any non-trivial protocol generates keys of positive length $\ell > 0$ for at
least some inputs.

[16] It is easy to see that this symmetrized key distillation protocol $\mathcal{E}$ satisfies
$\mathcal{K}_\pi \circ \mathcal{E} \circ \pi = \mathcal{E}$ for any permutation $\pi$, where
$\mathcal{K}_\pi$ is the operation that acts on the output $(S_A, S_B, C)$ by replacing the
communicated permutation $\bar{\pi}$ (in $C$) by $\bar{\pi} \circ \pi$. Similarly, we have
$\mathcal{K}_\pi \circ (\mathcal{S} \circ \mathcal{E}) \circ \pi = \mathcal{S} \circ \mathcal{E}$,
because $\mathcal{K}_\pi$ acts like the identity on the key pair $(S_A, S_B)$.

[17] The role of $\mathcal{H}^{\otimes n}$ is taken by the space $\mathcal{V}$ of a
finite-dimensional unitary representation $V$ of $G$. We denote by $g|v\rangle = V(g)|v\rangle$
the action of $g \in G$ on $|v\rangle \in \mathcal{V}$ and by $g(\rho) = V(g)\rho V(g^{-1})$ the
action on $\mathrm{End}(\mathcal{V})$. The space $\mathcal{K}^{\otimes n}$ is replaced by a space
$\mathcal{W} \cong \mathcal{V}$ on which $G$ acts with the dual representation,
$g|w\rangle = V(g^{-1})^T|w\rangle$ for $|w\rangle \in \mathcal{W}$. The role of the symmetric
subspace $\mathrm{Sym}^n(\mathcal{H}\otimes\mathcal{K})$ is then taken by
$(\mathcal{V} \otimes \mathcal{W})^G = \{|x\rangle \in \mathcal{V} \otimes \mathcal{W} : g \otimes g|x\rangle = |x\rangle \ \forall g \in G\}$,
the invariant space of $\mathcal{V} \otimes \mathcal{W}$. The constant $g_{n,d}$ becomes
$\dim(\mathcal{V} \otimes \mathcal{W})^G$ and the state $\tau_{\mathcal{VW}}$ is the state
proportional to the identity on
$(\mathcal{V} \otimes \mathcal{W})^G \subset \mathcal{V} \otimes \mathcal{W}$.